A “Suggested” New Year’s Resolution for Companies: Don’t Cut Your IT Security Budget

A sigh of relief… Many businesses in the U.S. and abroad are extremely happy to say goodbye to 2008 and welcome in 2009. The rollercoaster ride of economic turmoil and uncertainty that will forever define 2008 has now been replaced with eternal optimism and progress as we begin the new year. After all that has happened over the past 12 months, it is not a stretch to say that the prospects for the upcoming year could not look any brighter or more positive. Business owners are tightening their budgets and becoming more conservative in their strategies and processes, always looking for the best way to make the dollar work "most efficiently" in their favor. With that said, as business executives begin to examine department budgets for the upcoming year, I would like to offer this advice: avoid cutting your IT security budget just to save a dollar or two!

IT security expenses are a quantifiable purchase within the organization that, if properly instituted, can be positively realized on the balance sheet. Financial consultants who deem these expenses "excessive" are not looking at the totality of the risks that could be levied upon the organization as a result of budget cuts. Careful attention and thought should be given to this subject before any final determination on whether to cut IT security budgets for 2009. While the costs associated with IT security are quantifiable, the potential exposures to regulatory fines, special and punitive damages, and negative goodwill for the business are not. It would be easy for a plaintiff's attorney to show "careless disregard" by the organization if mission-critical data were exposed after the company, because of budget cuts, had removed IT security procedures that it once had in place as part of a corporate program.

Denise Dubie of Network World recently wrote an article in The New York Times addressing the concern of many in the IT industry that revamping and securing operating systems around domain name servers could be put on hold in 2009 because of budget issues. After Seattle-based IT security expert Dan Kaminsky discovered a major DNS flaw in mid-2008, many IT directors were encouraged to upgrade and patch their DNS systems to guard against any potential threats. However, as of mid-November 2008, 25% of servers had yet to be upgraded, and one of the main reasons given had to do with "gaining budget approval" to upgrade the servers. Thus, when it comes to examining your IT budget for 2009, IT security should be spared from the "chopping block", especially when it comes to network infrastructure; otherwise the company could be leaving itself exposed to both technical AND legal problems.